How to get put on the no-fly list... 



Why are you doing this? 



• Just an average Joe 

• Interest in ICS, Embedded and Medical devices 

• I travel a lot 



Lessons Learned by a Young Butterbar 

• Show respect 

• Accept Responsibility 

• Trust, but Verify 



Show me the Money... (budget.house.gov) 



• > 50,000 people at more than 400 airports across the country and an annual 
budget of $7.39 billion (2014) 



• TSA receives about $2 billion a year in offsetting collections under current law, 
through air-carrier and aviation-passenger security fees. The largest of the fees, in 
terms of total collections, is the Aviation Passenger Security Fee (sometimes 
called the September 11th Security Fee), which brings in about $1.7 billion a year. 



By law, the first $250 million of passenger-security fees is set aside for the 
Aviation Security Capital Fund, which provides for airport-facility modifications 
and certain security equipment 



Show me the Money... 




One guy 




no budget 






and a laptop 



Disclosure 



All issues in this presentation were reported to DHS 

via ICS-CERT >6 months ago 



Response? 

• Our software "cannot be hacked or fooled" 

• "add their own software and protections." 

• <silence> 

• Spoke with Morpho last week 



Scenarios 



(1) TSA doesn't know about the security issues in 
their software 



(2) TSA knew about the security issues, developed 
their own custom fixes, never told the vendors... 
and is hording embedded zero day vulnerabilities 
and leaving other organizations exposed? 
Figure 2-8 TDC Podium & CAT/BPSS 

[Figure residue: elevation and plan drawings of the TDC Podium and a generic CAT/BPSS; the legible notes are kept below.] 

TDC Podium / CAT/BPSS (generic): 1 per 2 lanes, +1 if checkpoint feeds international flights 

Electrical: 
* Non-dedicated 
* 20A, 125V (VA rating per podium illegible) 
* 2-Pole, 3-Wire Grounding 
* NEMA 5-20P, Duplex Receptacle 
* Power cord length is unknown at the time of this printing 

IT: 
■ Data Drops = 2 
■ Cat5e / Cat6 cable 
■ The cable length from the termination point in the IT cabinet to the data outlet in the work area shall not exceed 295'. 
■ If data drop cannot be secured when the checkpoint is closed, a locking device is required. Coordinate with TSA HQ IT Security. 

■ The TDC Function can be supported by either a TDC Podium or a CAT/BPSS. 
■ The CAT/BPSS may be on wheels or it may sit on floor. 

SIDE VIEW: PODIUM ELEVATION | PLAN VIEW: PODIUM OR CAT/BPSS | SIDE VIEW: CAT/BPSS ELEVATION (GENERIC) 
2.3 BIN CART 

Bins are the gray containers located on a cart at the front and back 
of each checkpoint lane. Passengers use bins to divest themselves of 
their personal belongings such as purses, carry-on bags, backpacks, 
laptops, shoes, jackets, etc. Bin carts are similar to a hand cart or 
dolly that allows for the transport of a large number of bins without 
requiring excessive lifting or carrying by a TSA agent. In the past, 
bin transport by the TSOs was the primary cause of on-the-job 
injuries at checkpoints. Hand-carrying of bins is no longer endorsed 
by TSA. TSA recommends that bin carts be pushed upstream 
through an ADA or access gate. Ideally, an ADA or access gate should 
exist at every lane but this is not always possible. When there is 
insufficient space for an ADA or access gate, the bin cart should be 
pushed upstream against passenger flow - through the WTMD. 

Bin carts can be one or two bins wide with bins stacked on top 
to slightly below the handle which equates to approximately 40 
bins. Each lane requires a bin cart at each end. TSA recommends 
maintaining about 60 bins per lane divided across each end. A fully-
loaded bin cart should be located at the start of the divest tables on 
the non-sterile side of the lane for passenger pick-up. The other 
bin cart should be positioned at the end of the composure rollers on 
the sterile side so that the TSA agent can collect empty bins after 
passengers have picked up their belongings. Refer to Figure 2-9 for 
bin cart dimensions. The bin cart width times two should be factored 
into the overall length of the checkpoint lane when designing a new 
checkpoint or reconfiguring an existing checkpoint. 



Figure 2-9 Bin Cart 
Isometric View 

IT Requirements / Additional Information 

[Figure residue: the same data-drop, cabling and TDC Podium/CAT-BPSS notes printed under Figure 2-8, repeated on this slide.] 

Figure 4-1 SSCP Data Connectivity Diagram 
Homeland Security 

IT Program Assessment 
TSA - Security Technology Integrated Program (STIP) (2010) 

Review 

The DHS Chief Information Officer conducted a comprehensive program review of the TSA - Security 
Technology Integrated Program (STIP) on April 15, 2010. The STIP program, a joint effort co-funded by 
the Passenger Screening Program (PSP) and Electronic Baggage Screening Program (EBSP), is a TSA-
wide Enterprise system that delivers data from passenger and baggage screening security technologies 
(in a common format) in order to facilitate data interchange/exchange through a single network for 
effective communication and metrics reporting. STIP has Enterprise Management, Configuration 
Management, Resource Management and Equipment Maintenance capabilities. 



TSANet Category X Airports 



A Quick Lesson on Backdoors 




I can't believe it, Jim. That girl's standing over there listening 
and you're telling him about our back doors? 



[Yelling] Mr. Potato Head! Mr. Potato head! Backdoors 
are not secrets! 

Yeah, but you're giving away our best tricks! 



They're not tricks! 



A Word About Backdoors 

• Malicious account added by a third party 

• Debugging accounts that someone forgot to remove 

• Accounts used by Technicians for Service and 
Maintenance 



Technician Accounts == Backdoors 

• Often hardcoded into the software 

• Applications which depend on the passwords 

• Business process which depend on passwords 

• External software which depend on passwords 

• Training which train technicians to use these passwords 



Technician Accounts == Backdoors 

• Can be discovered by external third parties (like me!) 

• Cannot be changed by the end user (in most cases) 

• Once initial work is completed, these passwords usually 
scale 



Rapiscan 522 

[Screenshot: Rapiscan Threat Image Projection (TIP) screen, showing HIT / MISS results] 



[Screenshot: Microsoft Windows 2000 Professional splash (Copyright © 1985-2001 Microsoft Corporation) and the Rapiscan Systems ("An OSI Systems Company") application with its scan-mode banner] 



[Screenshot: Rapiscan 522B configuration file open in an editor (USERS.CFG tab visible; editor lines 200-220). Legible keys and comments:] 

NUMBER_ERG_BIT 
ENERGY_TYPE_FLAG 
CLASS_TBL_CLASS_DIV 
CLASS_TBL_ENERGY_DIV 

[HAP_CONTROL] 
FULL_HAP_FILE 
SKIP_HAP_FILE 

[SYS_INFO] 
OPID_OPTION 0 
RAP_PASSWORD 
FOOTMAT_OPEN_DELAY 
MONOCHROME_FLAG 
EXTRA_SCAN_CTRL 
BIDIR_SCAN_FLAG 
SAFETY_TRIP_OPTION 

Values and comments visible in the same view: 12; 0; 349; 20; 349; 300; 
"After classify energy"; "0 == DUAL ENERGY, 1 == HIGH, 2 == LOW"; 
"349 ; 1st interval 349-240, 2nd"; "301 900 ; 1st interval 0-100; 100-3"; 
C:\Rapiscan\r522bp_f.map; C:\Rapiscan\[illegible]\r522bp_s.map; "; 0 = disable"; 
2830; 0; 0; 50; "0 ; 0 = color, 1 = monochrome"; "0 ; 0 = disable (for Auto [illegible])"; 
"; 0=FWD, 1=REV, 2=BIDIR, 3=FW+AB, 4=REV+AB"; "; 0 = disable" 









[Screenshot: USERS.CFG user records. Columns: User_ID, First_Name, Middle_Ini, Last_Name, CharCntInPa(ssword), Password, AccessCode, Active_Code. Legible rows:] 

User_ID  First_Name  Last_Name  Password  AccessCode  Active 
0011     Service     Engineer   0011      1           1 
1234     Temporary   SCREENER   1234      7           1 
[Screenshot: C:\Users\BK\Desktop\Rapiscan\working\SPF_ARS\DBASE\USER_RCR.CFG open in Notepad++. The record for the "Engineer" user is visible, with its credential 0011 readable in the file.] 

try { 
    if (CheckPassword()) { 
        Authenticate(); 
    } else { 
        AuthFail(); 
    } 
} 
catch { 
    ShowErrorMessage(); 
    Authenticate(); 
} 
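The fail-open pattern in that pseudocode, modelled in Python as an added example (not Rapiscan's code), beside the fail-closed form a reviewer would ask for. `check_password`, `CredentialStoreError` and the small credential store are constructed stand-ins so the failure path can be exercised without the device:

```python
"""Fail-open vs. fail-closed login handling (added example, not Rapiscan's code).

`check_password` is a constructed stand-in for the device's CheckPassword();
the credential store and the error class are constructed for the demonstration.
"""
import hmac
from typing import Callable, Tuple

Checker = Callable[[str, str], bool]


class CredentialStoreError(RuntimeError):
    """Constructed: raised when the user store (think USERS.CFG) cannot be read."""


def login_fail_open(check_password: Checker, user: str, password: str) -> bool:
    """Mirrors the slide's pseudocode: the catch block calls Authenticate().

    A corrupt or missing user store, a parse error, a null reference, any
    exception raised inside the check, ends in a granted login.
    """
    try:
        if check_password(user, password):
            return True          # Authenticate()
        return False             # AuthFail()
    except Exception:
        # ShowErrorMessage(); Authenticate();   <- the defect
        return True


def login_fail_closed(check_password: Checker, user: str, password: str) -> Tuple[bool, str]:
    """Hardened form: an error while checking is a denied login plus an audit
    reason, so an operator can tell 'wrong password' from 'device cannot verify'."""
    try:
        verified = bool(check_password(user, password))
    except Exception as exc:            # broad on purpose: nothing may fail open
        return False, f"denied: credential check failed ({type(exc).__name__}: {exc})"
    if verified:
        return True, "ok"
    return False, "denied: bad credentials"


# ---- constructed credential store used by the two checkers below ------------
_USER_STORE = {"screener01": "correct-horse-battery"}


def working_checker(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed store."""
    expected = _USER_STORE.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def broken_checker(user: str, password: str) -> bool:
    """Simulates the store being unreadable; this is the path the catch block hides."""
    raise CredentialStoreError("cannot open user store")


if __name__ == "__main__":
    print("fail-open,   store unreadable:", login_fail_open(broken_checker, "anyone", "anything"))
    print("fail-closed, store unreadable:", login_fail_closed(broken_checker, "anyone", "anything"))
    print("fail-closed, good credentials:", login_fail_closed(working_checker, "screener01", "correct-horse-battery"))
```

The defended version deliberately catches every exception type: the point is not which error occurred but that no error may end in a granted session, and the returned reason gives the operator the evidence that the device stopped checking passwords.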



[Screenshot: Rapiscan "TIP - [List All]" window (menu: Main, Report, TIP, Utilities, Help). "Original Data" form with fields First Name, M.I., Last Name, User ID, Company, Password; field contents illegible.] 
RAPISCAN THREAT IMAGE PROJECTION 

[Screenshot: TIP image library folders BOMB, CTI, GUN, HAZARD, KNIFE, OTHER. The GUN\CONV folder holds paired .BMP/.FTI files: 8MM1AKCG, 8MM1BKCG, 8MM1CKCG, 8MM2AKCG, 8MM2BKCG, 8MM2CKCG, GUN1V1, GUN1V2, GUN2V1, GUN2V2.] 

[Screenshot: E:\Rapiscan\TIM\GUN\CONV\8MM1AKCG.FTI open in Notepad++. Line 1 reads "8MM1AKCG" followed by the description "...arian keychain gun, .32 cal" and binary data; lines 2-19 are not legible.] 
"TSA has strict requirements that all vendors must 
meet for security effectiveness and efficiency and 
does not tolerate any violation of contract 
obligations. TSA is responsible for the safety and 
security of the nearly two million travelers 
screened each day." 

http://www.bloomberg.com/news/2013-12-06/naked-scanner-maker-osi-systems-falls-on-losing-tsa-order.html 



"Questions remain about how the situation will be 
rectified and the potential for unmitigated threats 
posed by the failure to remove the machinery," the 
committee's Republican and Democratic leaders wrote in a 
Dec. 6 letter to the men. "It is our understanding that 
these new components -- inappropriately labeled with the 
same part number as the originally approved component -- 
were entirely manufactured and assembled in the People's 
Republic of China." 

http://www.nextgov.com/defense/2013/12/congress-grills-tsa-chinese-made-luggage-scanner-parts/75098/ 



"The referenced component is the X-ray generator, 
a simple electrical item with no moving parts or 
software." 

He described the piece as "effectively, an X-ray 
light bulb." 

http://www.nextgov.com/defense/2013/12/congress-grills-tsa-chinese-made-luggage-scanner-parts/75098/ 



Interesting Items 

• VxWorks on PowerPC 

• VxWorks FTP 

• VxWorks Telnet 

• Web server 

• Server: Allegro-Software-RomPager/4.32 

• WWW-Authenticate: Basic realm="Browser" 



[Screenshot: PuTTY session to 192.168.0.102 (VxWorks shell on the Kronos 4500)] 

value = 127 = 0x7f 
-> devs 
drv name 
  0 /null 
  1 /tyCo/0 
  1 /tyCo/1 
  2 /aiaPipe 
  5 /bpf/dhcpc 
  5 /bpf/dhcpc-arp 
  6 /pty/telnet.S 
  6 /pty/telnet.M 
  8 /beeper 
  3 /MLkeypad/local 
 10 /IOSIMkeypad/ 
  5 /flash0/ 
 11 /reader/bc/local 
 12 /reader/bc/remote1 
 13 /reader/bc/remote2 
 14 /reader/bc/wand 
 15 /reader/mag/local 
 16 /led 
 17 /reader/prox/local 
 18 /reader/prox/remote 
value = 1 = 0x1 
-> ifShow 
fei (unit number 0): 
     Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING 
     Type: ETHERNET_CSMACD 
     Internet address: 192.168.0.102 
     Broadcast address: 192.168.0.255 
     Netmask 0xffffff00 Subnetmask 0xffffff00 
     Ethernet address is 00:40:58:04:29:16 
     Metric is 0 
     Maximum Transfer Unit size is 1500 
     0 octets received 
     0 octets sent 
     2210 packets received 
     882 packets sent 
     876 unicast packets received 
     878 unicast packets sent 
     1334 non-unicast packets received 
     4 non-unicast packets sent 
     0 input discards 
     0 input unknown protocols 
     0 input errors 
     0 output errors 
     0 collisions; 0 dropped 
lo (unit number 0): 
     Flags: (0x8069) UP LOOPBACK MULTICAST ARP RUNNING 
     Type: SOFTWARE_LOOPBACK 
     Internet address: 127.0.0.1 
     Netmask 0xff000000 Subnetmask 0xff000000 



value = 0 = 0x0 
-> cd "app" 
value = 0 = 0x0 
-> ls 
. 
.. 
M8M.jar 
WebC.out 
value = 0 = 0x0 
-> 





value = 25 = 0x19 
-> java 
Usage: java [-options] class 

where options include: 
    -help             print out this message 
    -version          print out the build version 
    -v -verbose       turn on verbose mode 
    -debug            enable remote JAVA debugging 
    -noasyncgc        no effect. Asynchronous GC support was removed. 
    -verbosegc        print a message when garbage collection occurs 
    -noclassgc        disable class garbage collection 
    -ss<number>       set the maximum native stack size for any thread 
    -oss<number>      set the maximum Java stack size for any thread 
    -ms<number>       set the initial Java heap size 
    -mx<number>       set the maximum Java heap size 
    -mr<number>       set the red heap reserve size 
    -my<number>       set the yellow heap reserve size 
    -D<name>=<value>  set a system property 
    -classpath <directories separated by colons> 
                      list directories in which to look for application classes 
    -bootclasspath <directories separated by colons> 
                      list directories in which to look for system classes 
    -Xrun<library>[:<option>=<value>,...] 
                      load library on startup 
    -verify           verify all classes when read in 
    -verifyremote     verify classes read in over the network [default] 
    -noverify         do not verify any class 
value = 1 = 0x1 
-> 



[Screenshot: Kronos 4500 device configuration key/value listing, reproduced as legible:] 

BootLine="fei(0,0)Null:/flash0/[illegible]/vxWorks e=192.168.0.[cut off] 
hostname="Null" 
ipAddr="192.168.0.102" 
subnetMask="ffffff00" 
Gateway="192.168.0.1" 
deviceId="444444" 
bootBuildNbr="1000" 
ftpUname="SuperUser" 
ftpPassword="2323098716" 
basicAuth="yes" 
dhcp="no" 
dhcpLeaseTime="-1" 
hostServerIP="127.0.0.4" 
keypad="telephone" 



[Decompiled Java from m8m.jar, as legible in the screenshot:] 

} 
String s6 = (String) hashtable.get("TelnetChoice"); 
if (s6 != null && s6.compareTo(DBTransaction.yesNo[1]) == 1) 
{ 
    String s1 = MSMApp.devMgr.request("get|Configuration|nvParams#ftpUname#"); 
    if (s1.equals("?")) 
    { 
        String s2 = MSMApp.devMgr.request("set|Configuration|nvParams#ftpUname#SuperUser"); 
        s2 = MSMApp.devMgr.request("set|Configuration|nvParams#ftpPassword#2323098716"); 
        flag = true; 
    } 
} else 
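A configuration audit a device owner can run over files shaped like the Kronos key/value listing above and like the Rapiscan USERS.CFG user records shown earlier, written here as an added example (not vendor code and not the talk's tooling). The `key="value"` parser, the credential-key heuristics and the `KNOWN_DEFAULTS` placeholders are assumptions; the sample config is constructed in the shape of the listing above, and the user rows reuse the two records the USERS.CFG screenshot shows plus one constructed row:

```python
"""Audit device config files for stored credentials (added example, not vendor code).

Two checks a device owner can run before deployment:
  1. key="value" configs (the shape of the Kronos listing): flag credential-
     bearing keys stored in cleartext and values still equal to a factory default.
  2. user tables (the shape of Rapiscan's USERS.CFG): flag passwords equal to the
     user ID and short all-digit passwords.
The key heuristics and KNOWN_DEFAULTS are assumptions made for the example.
"""
import re
from typing import Dict, Iterable, List, Sequence, Tuple

# Substrings (lower-cased) that mark a key as credential-bearing. Assumption.
CRED_KEY_HINTS = ("passw", "pwd", "uname", "username", "secret")

# Placeholders standing in for the vendor-documented defaults an owner would
# paste in from the manual; constructed, not real values.
KNOWN_DEFAULTS = frozenset({"FACTORY_DEFAULT_USER", "FACTORY_DEFAULT_PASSWORD"})

_KV_LINE = re.compile(r'^\s*([A-Za-z_][\w.\-]*)\s*=\s*"([^"]*)"\s*$')


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse key="value" lines; lines in any other shape are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_kv_config(text: str, known_defaults: Iterable[str] = KNOWN_DEFAULTS) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    cfg = parse_kv_config(text)
    defaults = set(known_defaults)
    findings: List[str] = []
    for key, value in cfg.items():
        lowered = key.lower()
        if not value or not any(h in lowered for h in CRED_KEY_HINTS):
            continue
        findings.append(f"{key}: credential stored in cleartext")
        if value in defaults:
            findings.append(f"{key}: value is a known factory default")
    if cfg.get("basicAuth", "").lower() == "yes":
        findings.append("basicAuth=yes: HTTP Basic sends the credential base64-encoded on every request")
    return findings


UserRow = Tuple[str, str, str, str]   # (user_id, first_name, last_name, password)


def audit_user_table(rows: Sequence[UserRow], min_len: int = 8) -> List[str]:
    """Flag weak records in a user table; min_len is the shortest acceptable PIN/password."""
    findings: List[str] = []
    for user_id, first, last, password in rows:
        who = f"{user_id} ({first} {last})"
        if password == user_id:
            findings.append(f"{who}: password equals user ID")
        if password.isdigit() and len(password) < min_len:
            findings.append(f"{who}: short all-digit password ({len(password)} digits)")
    return findings


# Constructed sample in the shape of the device configuration listed above.
SAMPLE_CONFIG = '''
ipAddr="192.0.2.10"
subnetMask="ffffff00"
ftpUname="FACTORY_DEFAULT_USER"
ftpPassword="FACTORY_DEFAULT_PASSWORD"
basicAuth="yes"
dhcp="no"
keypad="telephone"
'''

# The two records visible in the USERS.CFG screenshot plus one constructed row.
SAMPLE_USERS: List[UserRow] = [
    ("0011", "Service", "Engineer", "0011"),
    ("1234", "Temporary", "SCREENER", "1234"),
    ("4821", "Jane", "Doe", "Tq7!mR2p-vault"),
]

if __name__ == "__main__":
    for finding in audit_kv_config(SAMPLE_CONFIG) + audit_user_table(SAMPLE_USERS):
        print(finding)
```

The factory-default list is the part worth maintaining: a value that matches it is the "cannot be changed by the end user" case from the slides, and a config dump taken after installation should be diffed against it before the device is put on the network.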



[Screenshot: Shodan result for a Kronos device] 

Protected Object 
[IP address illegible]   HTTP/1.0 401 Unauthorized 
San Francisco International Airport 
Added on 26.[month illegible].2014   WWW-Authenticate: Basic realm="Browser" 
                                     Content-Type: text/html 
Details                              Transfer-Encoding: chunked 
                                     Server: Allegro-Software-RomPager/4.32 
                                     Connection: close 

gt400-1 login: 

HTTP/1.0 401 Unauthorized 
WWW-Authenticate: Basic realm="Browser" 
Content-Type: text/html 
Transfer-Encoding: chunked 
Server: Allegro-Software-RomPager/4.32 
Connection: close 

220 VxWorks (5.4.2) FTP server ready 
530 Login failed. 
214-The following commands are recognized: 
   HELP   USER   PASS   QUIT   LIST   MLST 
   RETR   STOR   CWD    TYPE   PORT   PWD 
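For an asset owner who wants to find devices that answer like the one above on their own network segments, so they can be inventoried, segmented and monitored, the classification step run over banners an inventory tool has already captured, as an added example (not Kronos, Shodan or the talk's tooling; nothing here connects anywhere). The two sample banners are constructed to match the responses shown above; the "two indicators" threshold is an assumption:

```python
"""Classify captured service banners for an embedded-device inventory (added example).

Input is banner text an inventory tool already captured. The indicators are
the ones the responses above show: RomPager's Server header, the "Browser"
Basic-auth realm on a 401, and a VxWorks FTP greeting.
"""
from typing import Dict, List, Optional, Tuple

# Constructed samples, shaped like the responses shown above.
SAMPLE_HTTP = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Browser"\r\n'
    "Content-Type: text/html\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Server: Allegro-Software-RomPager/4.32\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_FTP = "220 VxWorks (5.4.2) FTP server ready\r\n"


def parse_http_head(raw: str) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status code, headers with lower-cased names) from a response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status: Optional[int] = None
    parts = lines[0].split(" ", 2) if lines else []
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def basic_realm(www_authenticate: str) -> Optional[str]:
    """Extract the realm from a Basic challenge; None if it is not a Basic challenge."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "basic":
        return None
    for param in params.split(","):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "realm":
            return value.strip().strip('"')
    return None


def fingerprint(http_head: Optional[str] = None,
                ftp_banner: Optional[str] = None) -> Dict[str, object]:
    """Score one host; two or more indicators mark it a candidate for follow-up."""
    indicators: List[str] = []
    if http_head:
        status, headers = parse_http_head(http_head)
        server = headers.get("server", "")
        if server.lower().startswith("allegro-software-rompager"):
            indicators.append(f"server={server}")
        if status == 401 and basic_realm(headers.get("www-authenticate", "")) == "Browser":
            indicators.append('basic_realm="Browser"')
    if ftp_banner and ftp_banner.startswith("220") and "vxworks" in ftp_banner.lower():
        indicators.append("ftp=" + ftp_banner.strip())
    return {"indicators": indicators, "score": len(indicators), "candidate": len(indicators) >= 2}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTTP, SAMPLE_FTP))
```

A single RomPager header is common on many embedded web servers, which is why the example requires a second indicator before a host is listed; a match is a reason to confirm the model with the site owner and move the device behind a filtered segment, not proof by itself.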



Backdoors... 



• FTP and Telnet - SuperUser:2323098716 

• config\devCfg.xml file 

• MaintValidation.class file within the m8m.jar 

• Web - KronosBrowser:KronosBrowser 



• ~6000 on the Internet, two major airports 



Here's a thought... 



• Foreign made main board on TSA Net that can track which TSA 
personnel are on the floor at any given moment 

• Hardcoded FTP password/backdoor 

• Hardcoded Telnet password/backdoor which gives up a 
VxWorks shell 

• Hardcoded Web password/backdoor 



Does TSA know Kronos 4500s have Chinese-made main boards? 



Does the TSA know the software has hardcoded backdoors? 



Trust but Verify the Engineering 





[Screenshot: Itemiser main screen] 
Itemiser | No Alarm - Ready | Dual Mode | Version 8.17 | Super User 2 
Buttons: Log Off, Clear Trigger, Help, Menu, Prev. View, Reset View, Plasmagram, Select Scan, Intensity Map, Processed 3D, Measure, Pan, Zoom 
Neg Ion Peaks / Pos Ion Peaks (Time, Height) 
Negative Ions: Cal: 0.926  Offset: 0.000 (Cal Units) 
Positive Ions: Cal: 0.926  Offset: 0.000 (Cal Units) 
Menu entries: Explosives Temperature & Library; Narcotics Temperature & Library; Dual Temperature & Library 

[Screenshot: Substance Selection dialog (Add / Modify / Delete / OK / Cancel), opened while logged in as Super User 2. Column headers as legible; the window column header was not captured.] 

Name         Standard  Calibrated  Window          Selected  Current   Alarm 
             Location  Location                              Strength  Level 
[illegible]  6.070     6.555       -0.040 +0.040   yes       0.00      750.0 
NITRO        3.830     4.136       -0.100 +0.120   yes       0.00      750.0 
RDX          6.350     6.857       -0.040 +0.040   yes       0.00      1000.0 
PETN         7.990     8.629       -0.040 +0.040   yes       0.00      150.0 
HMX          7.070     7.635       -0.040 +0.040   yes       0.00      1500.0 
AMNO3        4.532     4.894       -0.040 +0.040   yes       0.00      1500.0 
TATP         4.120     4.449       -0.040 +0.040   yes       0.00      750.0 
TATP2        4.440     4.795       -0.040 +0.040   yes       0.00      750.0 
SmklsPwdr    7.449     8.044       -0.040 +0.040   yes       0.00      250.0 
COCAINE      7.936     8.570       -0.040 +0.040   yes       0.00      750.0 
HEROIN       8.822     9.527       -0.040 +0.040   yes       0.00      500.0 
THC          8.757     9.457       -0.040 +0.040   yes       0.00      500.0 
METHAM       5.753     6.213       -0.040 +0.040   yes       0.00      500.0 
AMPHET       5.664     6.117       -0.040 +0.040   yes       0.00      500.0 
MDMA         6.375     6.884       -0.040 +0.040   no        0.00      500.0 
MDA          6.275     6.776       -0.040 +0.040   no        0.00      500.0 
MORPH        7.596     8.203       -0.040 +0.040   no        0.00      750.0 
Ephedrine    5.953     6.429       -0.040 +0.040   yes       0.00      1000.0 
Neg-CAL      6.070     6.555       -0.080 +0.080   no        0.00      1000.0 
Pos-CAL      7.936     8.570       -0.080 +0.080   no        0.00      500.0 



Itemiser 

• X86 (Pentium Processor) 

• Windows CE 

• Disk on chip with ~7.5 MB main program 

• PS2, Floppy, USB 

• IrDA?!?!?!?! 



File System 

• ITMSCE.exe (Main Application) 

• Users.bin (User Accounts) 

• Config.bin (Settings for detection) 

• Options.bin 

• History.bin 

• Alarms (folder) 



[Screenshot: DOS session on the Itemiser disk-on-chip; illegible name fragments shown as [..]] 

 Volume in drive C is [illegible] 
 Volume Serial Number is 2525-15FB 
 Directory of C:\ 

CONFIG   SYS           33  04-02-02   9:38a 
[..]     COM       18,526  02-14-97   6:22a 
AUTOEXEC BAT           51  09-30-02   1:01p 
[..]     BIN    6,456,335  09-04-02   9:32a 
[..]MBCEPC EXE    95,868  07-11-02   4:44p 
[..]C-SST BAT        269  09-30-02   2:43p 
THSU1H   <DIR>          10-02-02   4:04p 
COMMAND  COM       28,547  02-14-97   6:22a 
HIMEM    SYS       29,136  09-30-93   4:28a 
[..]AL   BIN           56  05-26-11  11:13a 
SERIAL   NUM           12  05-13-04  10:05a 
       11 file(s)      6,628,833 bytes 
                     119,793,664 bytes free 

C:\>copy *.sys a: 
Overwrite A:\CONFIG.SYS (Yes/No/All)?A 
C:\HIMEM.SYS 
        2 file(s) copied 

C:\>copy *.[..] a:_ 




[IDA disassembly excerpt; the leading address digits are illegible and shown as "..". The sequence is an inlined strlen over the hardcoded string "695372" (or ecx,-1 / repne scasb / not ecx / sub edi,ecx).] 

.text:..31E10    xor     eax, eax 
.text:..31E12    and     ecx, 3 
.text:..31E15    rep movsb 
.text:..31E17    mov     edi, offset a695372   ; "695372" 
.text:..31E1C    or      ecx, 0FFFFFFFFh 
.text:..31E1F    repne scasb 
.text:..31E21    not     ecx 
.text:..31E23    sub     edi, ecx 



[Screenshot: Itemiser user list (Name / Security Level), with Add and Modify buttons:] 

Name             Security Level 
Operator 1       Operator 
Maintenance 1    Maintenance 
Administrator 1  Administrator 
Super User 1     Super User 
D. Hansen        Administrator 
[?]. Eggen       Operator 
C. Henke         Administrator 
D. Winger        Operator 
K. Eckelberg     Administrator 
R. Owen          Operator 
P. Kempt         Operator 



Users on the user menu Itemiser 

• Operator 1 

• Maintenance 1 

• Administrator 1 
Two Backdoor Accounts 

• Administrator 2: 838635 
• SuperUser 2: 695372 
Advisory (ICSA-14-205-01) 

Morpho Itemiser 3 Hard-Coded Credential 

Original release date: July 24, 2014 

Legal Notice 

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The 
Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained 
within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further 
dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information 
about TLP, see http://www.us-cert.gov/tlp/. 



OVERVIEW 



Independent researchers Billy Rios and Terry McCorkle have identified hard-coded credentials in the Morpho Itemiser 3. 
Morpho has not produced a patch, update, or new version that mitigates this vulnerability. 



MITIGATION 

Morpho has decided not to address this vulnerability at this time. 

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other 
cybersecurity risks. 



Blame the vendor? 



This is actually TSA's fault 

• TSA depends on this equipment to do their job 

• TSA operators do not have the expertise to detect exploited 
devices 

• TSA has not conducted adequate threat models on how these 
devices are designed from a cyber security standpoint 

• TSA has not audited these devices for even the most basic security 
issues 

• Vendors develop devices to meet TSA requirements 

• TSA certifies devices it deems satisfactory 

• We pay for all this... 



I hope that someone (maybe the GAO?) trusts 
what the TSA is telling us about their 
devices, but verifies the engineering is a 
reality 



If you have embedded devices, I would hope 
you would do the same for your devices 



BEFORE you fork over the $$! 



Questions? 



